Practicalities of implementing a GDPR compliance programme

Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) (GDPR) introduces a number of new requirements relating to the processing of personal data. One of the biggest changes is the principle of "accountability" and the requirement for data controllers to "be responsible for, and to be able to demonstrate compliance" with the principles relating to processing of personal data.

The accountability principle applies expressly to data controllers but, in practice, will also be required for data processors. This is by virtue of the fact that data controllers must choose data processors "providing sufficient guarantees to implement appropriate technical and organisational measures… [to] meet the requirements of the Regulation and ensure the protection of the rights of the data subject."

Many organisations operating in regulated industries or environments will be used to demonstrating how they comply with laws and regulations through established compliance programmes and processes. However the GDPR applies to the processing of personal data regardless of whether or not an organisation operates in a regulated industry or environment.

So what practical steps can your organisation take to demonstrate compliance under the GDPR through an established governance framework?

It is important to note that there are various ways in which data controllers and data processors can demonstrate compliance with the GDPR. There is 'no one size fits' all solution to demonstrating compliance. How you demonstrate compliance within your organisation will depend on a number of factors, including:

the personal data processed;

how and why you process personal data; and

the risks to the rights and freedoms of individuals when you process personal data.

Organisational culture will play a huge part in how you integrate the following steps.

Step 1 - Appoint a data protection officer or individual in a similar position

Any organisation processing personal data whether as a data controller or a data processor, should appoint an individual whose key responsibility is to ensure compliance with data protection legislation. For a data processer this can be a key when offering data processing services to data controllers. It demonstrates that compliance with data protection is just as important as the price of the services on offer.

The GDPR introduces the role of a 'data protection officer' who should be an individual with expert knowledge of data protection law and the ability to fulfil tasks set out in the GDPR.

But not all organisations will necessarily have a legal obligation to appoint a data protection officer. The requirement depends on whether or not the organisation is caught by the provisions of Article 37, which expresses a requirement for data controllers and data processors to appoint a data protection officer where the:

processing is carried out by a public authority or body;

core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Step 2 – Review your data processing activities

Once a data protection officer is in place it will be important for them to work with each business area to identify the specific privacy risks that the organisations is exposed to and how these can be mitigated or avoided.

This exercise should take the form of a data mapping exercise, resulting in the collection of the information set out in Article 30, which requires data controllers and processors to maintain a record of processing activities, including:

name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

purposes of the processing;

a description of the categories of data subjects and of the categories of personal data;

categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;

where possible, the envisaged time limits for erasure of the different categories of data;

where possible, a general description of the technical and organisational security measures in place to safeguard the data.

The output of the exercise should be used by the organisation to assess the level of privacy risk to which it is exposed, based on what personal data is processed, why it is processed, who it is shared with and the location in which it is processed.

Step 3 - Implement a GDPR compliance programme

Article 83 of the GDPR sets out details of factors to consider when imposing administrative fines. It is this that regulators will look at when deciding whether or not to levy a fine against an organisation for a breach of the GDPR.

The implementation of a GDPR compliance programme can be used to demonstrate the controls that an organisation has to comply with GDPR. This should assist in mitigating the risk of a fine being imposed or the level of fine received.

Elements which should be considered as part of a GDPR compliance programme include:

(a) Create and/or monitor privacy policies and procedures

These should be used to set out the standards your organisation expects of employees, consultants and contractors when they process personal data.

Privacy policies and procedures will need to set out clear guidance on how your organisation will ensure compliance with data protection requirements, including a clear explanation of what those requirements are and practical guidance on how to achieve compliance. Areas to cover include:

how to recognise and comply with individuals rights;

how and when your organisation uses data protection impact assessments;

dealing with data breaches and the notification of data breaches; and

the organisational and technical security measures in place to safeguard personal data.

Policies and procedures should be structured and written in an easy to use format. They need to be readily accessible to all individuals within your organisation who handle personal data. A key objective will be to demonstrate to regulators that staff are aware of your standards and that these are appropriate in relation to the privacy risks inherent in your organisation.

The time and effort that will be required to put in place appropriate policies, procedures and systems to comply with new requirements, such as data portability and data deletion rights should not be under-estimated.

A calendar of training should be established and rolled out throughout the organisation with updates taking place regularly. Bespoke training and or workshops should be provided to areas of your organisation which involve high risk or high volume processing, for example, marketing and HR.

(c) Implement and monitor organisational controls to comply with the GDPR

An exercise to determine which provisions of the GDPR will apply to your organisation should be undertaken and ownership should be allocated for compliance with these provisions.

Appropriate measures should be put in place to comply with GDPR requirements. The measures implemented should be tested to ensure that these are working as anticipated. For example, implementing background screening of employees with access to sensitive financial data to ensure that data is kept secure.

(d) Deal with the sharing of personal data with third parties and the use of third party data processors

Article 28 requires data controllers to choose data processors that have in place appropriate measures to meet the requirements of the GDPR. Procurement procedures will therefore need to be refreshed to expand due diligence not just to data security measures but also to wider GDPR compliance measures, with a particular focus on individuals' rights.

Consideration should also be given to the contracting process and the life cycle of your relationship with the data processor. This is so that all data processing contracts contain the minimum provisions as set out in Article 28. All data processing relationships are monitored to ensure that the data processor is only processing your personal data as anticipated and non-compliance with the GDPR is brought to your attention immediately.

Clear processes should be established when sharing personal data with other third parties. This is to ensure that you have the right to disclose personal data and that the person or organisation has a right to have access to the data in the first place,.

(e) Monitor issues with compliance with data protection legislation

Independent testing and quality assurance frameworks should be established to ensure that data protection processes and procedures are being adhered to.

Any instances of non-compliance should be logged and analysis undertaken to identify trends in non-compliance; vital in preventing minor data protection breaches from becoming an issue.

Processes must be established for reporting data breaches to the data protection officer to ensure that data breaches are brought to the attention of the regulator within the time frames laid down by the GDPR. Breach notification procedures must be tested regularly to ensure that they are being followed and are working effectively.

(f) Escalate concerns with compliance with data protection legislation to senior management or the board

Engagement and awareness from senior management is critical. In the event of a data breach a regulator will look at how engaged senior management have been, if they were made aware of the possibility of the data breach occurring and what they did or support they provided to prevent the breach from occurring.

With Elizabeth Denham calling for directors to be personally liable for data breaches and the looming prospect of significantly increased fines, now is the time to talk to senior management to get their backing for a comprehensive GDPR compliance programme.

Step 4 – Raising awareness

Simply having policies and procedures that are not embedded into organisational process or the culture of the organisation are unlikely to provide an adequate defence when something goes wrong.

Data protection must be brought to life and become second nature to those who are processing personal data. Therefore in addition to standard training on data protection requirements the use of workshops and real life scenarios should be used. Regular refreshers and reminders should also be implemented so that privacy starts to be thought of as a fundamental part of your organisation's culture rather than just a 'tick box' exercise.

Conclusions

We are still awaiting guidance from national regulators and the Article 29 Working Party on many practical GDPR implementation issues. But in order to be ready to comply with GDPR by May 2018 organisations need to start implementing a GDPR compliance programme now.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.